Skip to content

Potential fix for code scanning alert no. 26: Unsafe shell command constructed from library input #170

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
VenelinBakalov wants to merge 1 commit into from
Closed

Potential fix for code scanning alert no. 26: Unsafe shell command constructed from library input #170

VenelinBakalov wants to merge 1 commit into from

Conversation

@VenelinBakalov
Copy link
Collaborator

@VenelinBakalov VenelinBakalov commented Sep 29, 2025

Potential fix for https://github.com/vmware/vrealize-developer-tools/security/code-scanning/26

To fix this issue, we need to ensure that untrusted input (workflowsPath, as well as any other interpolated data) does not cause unexpected behavior or command injection when constructing and executing shell commands. The general approach is to avoid concatenating unsanitized inputs into shell command strings. There are two options:

  1. If possible, invoke the command using an array of arguments (with child_process.execFile or equivalent), so that arguments are properly escaped and not interpreted by the shell.
  2. If the command must be constructed such that the shell is required (for example, if you are using pipes, redirection, etc.), escape any potentially unsafe input using a library like shell-quote.

In this context, since the command seems not to require shell-specific features (no pipes, redirection, etc.), the best fix is to construct an argument array and use proc.execFile instead of proc.exec, passing input as arguments. This entails:

  • Refactoring the construction of the Maven command so that it is split into a command name and an arguments array.
  • Updating the call to proc.exec to use proc.execFile (or equivalent), or refactoring proc.exec itself if it wraps both kinds of execution.
  • Ensuring all values interpolated into command-line arguments (like workflowsPath, groupId, artifactId, etc.) are passed as array elements rather than interpolated into a string.

Necessary changes are limited to the createProject method in MavenCliProxy.ts:

  • Construct the command and its arguments as separate strings and arrays.
  • Use proc.execFile (presuming it exists and functions like Node’s child_process.execFile).

If the proc module does not already support execFile, you may need to implement that or, minimally, adjust proc.exec to allow array arguments (but only within the shown code).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@VenelinBakalov @github-advanced-security
Potential fix for code scanning alert no. 26: Unsafe shell command co…
0af05c5 
…nstructed from library input

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions github-actions bot added the bug label Sep 29, 2025
@VenelinBakalov VenelinBakalov marked this pull request as ready for review September 29, 2025 07:37
@VenelinBakalov VenelinBakalov requested a review from a team as a code owner September 29, 2025 07:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@VenelinBakalov